Security Audit PM
Prabhaker Mateti
What is a security audit?
• Policy based
• Assessment of risk
• Examines site methodologies and practices
• Dynamic
• Communication
What kinds of Security Audits are there?
• Host
• Firewall
• Networks
• Large networks
Security Policies & Documentation
• What is a security policy?
• Components
• Who should write it?
• How long should it be?
• Dissemination
• It walks, it talks, it is alive...
• RFC 1244
• What if a written policy doesn't exist?
• Other documentation
Components of a Security Policy
• Who can use resources
• Proper use of the resources
• Granting access & use
• System Administrator privileges
• User rights & responsibilities
• What to do with sensitive information
• Desired security configurations of systems
RFC 1244 "Site Security Handbook"
• Nmap
• SAINT/SATAN/ISS
• Crack
• Nessus
• COPS/Tiger
Follow Startup Execution
• Boot (P)ROMS
• init
• Startup programs (rc.* like files)
Check static items
• Examine all config files of running processes (inetd.conf, sendmail.cf, etc.)
• Examine config files of programs that can start up dynamically (ftpd, etc.)
Search for privileged programs
• Find all SUID/SGID programs
• Look at all programs executed as root
• Examine:
– Environment
– Paths to execution
– Configuration files
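One way to carry out the "find all SUID/SGID programs" and "paths to execution" checks from this slide, as an added shell example that is not part of these slides: it lists every SUID/SGID file under a root directory and flags those that sit behind a group- or world-writable path component. The script name, the ROOT argument and the OK/FLAG report format are my own choices; in a real audit the root is /.

```shell
#!/bin/sh
# Added example, not from the slides: enumerate SUID/SGID programs under a
# root directory and flag any whose path a non-owner could tamper with.
# Assumes POSIX sh, find(1) and ls(1); in a real audit ROOT is / .

# Print every SUID or SGID regular file below $1, one path per line.
find_privileged() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Walk from file $1 up to (but not including) root $2, printing each
# component that is group- or world-writable. Anyone with that write
# access could replace the binary (or a directory on the way to it) and
# have the replacement run with the elevated privilege.
# Returns 0 when nothing is writable, 1 otherwise.
writable_components() {
    p=$1; root=${2%/}; found=0
    while [ -n "$p" ] && [ "$p" != "$root" ] && [ "$p" != "/" ]; do
        # ls -ld mode string: char 6 = group write, char 9 = other write
        mode=$(ls -ld "$p" 2>/dev/null | cut -c1-10)
        case $mode in
            ?????w*|????????w*) echo "$p $mode"; found=1 ;;
        esac
        p=$(dirname "$p")
    done
    return $found
}

# Report one line per privileged program: "OK <path>" or "FLAG <path>",
# with the offending components listed indented below a FLAG line.
audit_privileged() {
    r=$1
    find_privileged "$r" | while IFS= read -r f; do
        if out=$(writable_components "$f" "$r"); then
            echo "OK   $f"
        else
            echo "FLAG $f"
            echo "$out" | sed 's/^/     writable: /'
        fi
    done
}

# Usage: sh suid_audit.sh /    (with no argument only the functions are defined)
if [ $# -gt 0 ]; then
    audit_privileged "$1"
fi
```

A FLAG line is a finding to follow up on the "Environment" and "Configuration files" points as well, since a writable path usually means the program's inputs are writable too.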
Examine all Trust
• rhosts, hosts.equiv
• NFS, NIS
• DNS
• Windowing systems
• User traffic and interactive flow
Check Extra Network Services
• NFS/AFS/RFS
• NIS
• News
• WWW/httpd
• Proxy (telnet, ftp, etc.)
• Authentication (Kerberos, security tokens, special services)
• Management Protocols (SNMP, etc.)
Check for replacement programs
• wuftpd
• TCP wrappers
• Logdaemon
• Xinetd
• GNU fingerd
Code review "home grown"/non-standard programs
• Network daemons
• Anything SUID, SGID
• Programs run as system account
• CGIs
Code review, etc. (cont.)
• Bad signs:
– external commands (system, shell, etc.)
– /usr/ucb/mail
– large size
– No documentation
– No comments in code
– No source code available
Actively test defenses
• packet screens
• TCP wrappers
• Other defense programs
Safeguard Data & Report
• Save for the next audit
• Do not keep online
• Use strong encryption if stored electronically
• Limit distribution to those who "need to know"
• Print out report, sign, and number copies